Internal User Identity Group as an ASA Class Value

scamarda
Cisco Employee

ISE 2.0 with AnyConnect RA VPN. I am trying to use the internal user's identity group as the Class attribute to assign a group policy on the ASA.  I've tried both IdentityGroup:Name and InternalUser:IdentityGroup in my Authorization Profile:

Access Type = ACCESS_ACCEPT

Class = IdentityGroup:Name

Both configurations end up including the attribute title along with the attribute value:

Result

State     ReauthSession:c0a800fe000a100057331935

Class     User Identity Groups:Contractor

If I use the AD Department value, all that is returned is the attribute value, not the attribute title:

Result

State     ReauthSession:c0a800fe00095000573234a5

Class     IT

How can I use the Internal User Identity Group to assign the Class Value to the ASA for Group-Policy?

1 Accepted Solution

Timothy Abbott
Cisco Employee

Hi,

Are you trying for the following in an authorization profile?

Access Type = ACCESS_ACCEPT

Class = Contractor

Regards,

-Tim

scamarda
Cisco Employee

Yes.  I am getting the whole string but only need the value.  I am getting "User Identity Groups:Contractor".  The ASA is expecting "Contractor".  How do I strip off "User Identity Groups"?

I don't believe you can strip that part of the attribute. Would it be possible to create a group policy on the ASA that matches the Class value returned? For example:

Auth Profile:

Access Type = ACCESS_ACCEPT

Class = IdentityGroup:Contractor

ASA Group Policy:

IdentityGroup:Contractor

Regards,

-Tim

I can try that as a workaround. Is there another way to accomplish what I am trying to do?

I believe you may use a value of a regular attribute (built-in or customized) for an internal user.
